As I understand it, to do this using SELinux I need a new user domain (customuser) which by default should deny all, or can I start with the predefined guest_t?

Then, for example, I can enable netutils_exec_ping(customuser_t, customuser_r).

I responded that:

SELinux does not worry so much about executing individual programs, although it can do this. SELinux is basically about defining the access of a process type: just because a program can execute another program does not mean that the process type will be allowed the access the program requires. For example:

A user running as guest_t can execute su and sudo, but even if the user discovers the root password they cannot become root on the system; SELinux would block it. Similarly, guest_t is not allowed to connect out of the system, so being able to execute ssh or ping does not mean the user would be able to ping another host or ssh to another system.

This is far more powerful than just blocking access to certain programs, since the user could download those programs to their home directory and use them from there.

There are lots of Turing-complete tools that the user will have access to, which would allow them to write code to do pretty much anything that any application installed on the system can do.
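As an added illustration (not part of the original exchange), here is how that distinction looks in a reference-policy style module for the questioner's customuser domain. The interface names are assumed to be those of refpolicy, where netutils_exec_ping takes a single domain argument and netutils_run_ping takes a domain and a role.

```selinux
policy_module(customuser, 1.0.0)

########################################
#
# Declarations
#

# Declare customuser_t / customuser_r as a restricted login user, built
# from the same template as guest_t: no outbound network, no su/sudo to root.
userdom_restricted_user_template(customuser)

########################################
#
# Local policy
#

# Letting customuser_t execute the ping binary (ping_exec_t) in its own
# domain is not enough: the resulting process is still customuser_t, which
# has no rawip_socket or net_raw access, so the kernel denies the socket
# and ping fails with "Permission denied" even though it was executed.
# netutils_exec_ping(customuser_t)

# What actually makes ping work is a domain transition to ping_t, the
# domain that carries the raw-socket access. Only the ping process gets
# that access; the rest of the user's session keeps the restricted profile.
netutils_run_ping(customuser_t, customuser_r)

# Check with setools after loading the module: the first query should
# return no rules, the second shows the transition on ping_exec_t.
#   sesearch -A -s customuser_t -c rawip_socket
#   sesearch -T -s customuser_t -t ping_exec_t
```

Build and load with the usual `make -f /usr/share/selinux/devel/Makefile customuser.pp && semodule -i customuser.pp`; the comparison to make is the sesearch output before and after uncommenting netutils_exec_ping, which changes what the user may execute but not what the user domain may do with the network.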

Bottom line:

Blocking access to system objects and Linux capabilities is far more powerful than blocking a user process from executing a program on disk.